Risk Tolerance
What is Risk Tolerance?
Risk Tolerance: The acceptable variation around a specific objective or risk category, expressed as concrete quantitative or qualitative limits derived from the broader risk appetite.
Risk tolerance translates strategic risk appetite into operational limits that teams can monitor and enforce. While appetite is usually qualitative and overarching, tolerance is more granular: maximum acceptable downtime, monetary loss thresholds, an allowed number of high-severity incidents per year, or capital ratios. Breaching a tolerance is a trigger for escalation, additional treatment, or governance review. Well-defined tolerances enable consistent decision-making in projects, vendor onboarding, and incident response, and they provide measurable evidence to regulators and auditors. Many frameworks (ISO 31000, COSO ERM, Basel-style operational risk) distinguish carefully between appetite, tolerance, and capacity.
● Examples
- Maximum tolerable outage of 4 hours for tier-1 customer-facing services.
- No more than 2 high-severity data privacy incidents per fiscal year.
● Frequently asked questions
What is Risk Tolerance?
The acceptable variation around a specific objective or risk category, expressed as concrete quantitative or qualitative limits derived from the broader risk appetite. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for Risk Tolerance?
Common alternative names include: Risk tolerance levels, Risk thresholds.
● Related terms
- Risk Appetite: The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
- Risk Management: The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Enterprise Risk Management (ERM): An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
- Residual Risk: The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
- Risk Treatment: The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
- Risk Register: A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.